Reproducible Builds for the JVM:
- discovered in April 2016 (post-processing)
- actively working since January 2019 (Maven built-in)
Agenda

- Reproducible Builds
  - what? why? how?
- Reproducible Builds for the JVM
  - checking against Maven Central
  - configuring for Maven, Gradle, sbt
- Quiz: to be or not to be Reproducible
- What's next?
Reproducible Builds: what? why? how?

https://reproducible-builds.org/ (since 2013)

"Reproducible Builds are a set of software development practices that create an independently-verifiable path from source to binary code"

[Figure: the same input source code is built by the original builder, giving the reference output binaries, and by an independent rebuilder; both must produce the same output binaries, bit for bit]
Why does it matter?

- reproducible-builds.org: "allow verification that no vulnerabilities or backdoors have been introduced during the compilation process"
- my own return on experience
  - you have the source, but are you really able to rebuild?
    - is it the real Git commit? is a "Build successful" message sufficient?
  - are you sure nothing from your build environment leaked into output binaries?
    - found username, hostname, path to current directory, private key passphrase, ...
  - permits build efficiency from build cache
- ASF policy: official source release vs convenience binaries
  - how do you audit binaries staged by the release manager? "Just trust"?
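The environment-leak problem above (username, hostname, working directory ending up inside a published jar) is easy to check for mechanically. The following script is an added example written for this page, not code from the talk, from Maven or from Reproducible Central: it scans every entry of a jar for the builder's environment values and reports entries whose timestamp differs from the rest, since one fixed timestamp is the first thing a reproducible build normalizes. The function names, the sample jar and the "alice" builder environment are all made up for the example.

```python
"""Audit a built jar for build-environment leakage.

Added example for this page; it is not code from the talk, from Maven or from
Reproducible Central. It scans every entry of a jar/zip for the kinds of
values the speaker reports having found in published binaries (username,
hostname, current working directory, home directory) and reports entries whose
timestamp differs from the rest. The jar it scans is constructed in memory
with made-up leaky values, so it runs offline.
"""
import getpass
import io
import os
import socket
import zipfile
from collections import Counter


def build_environment_markers(env=None):
    """Strings that must not appear in a release artifact.

    ``env`` is injectable so the scan can use the *builder's* values (taken
    from a CI log, say) instead of the scanner's own; by default it uses the
    current process environment. Values shorter than 4 chars are dropped
    because they would match almost anything.
    """
    if env is None:
        env = {
            "username": getpass.getuser(),
            "hostname": socket.gethostname(),
            "cwd": os.getcwd(),
            "home": os.path.expanduser("~"),
        }
    return {kind: value for kind, value in env.items() if value and len(value) >= 4}


def scan_archive(data, markers):
    """Return {entry_name: [marker_kind, ...]} for every entry whose bytes
    contain a marker. Class files are scanned too: javac and annotation
    processors can embed absolute source paths."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            hits = [kind for kind, value in markers.items()
                    if value.encode("utf-8") in payload]
            if hits:
                findings[info.filename] = hits
    return findings


def timestamp_report(data):
    """Return (majority_timestamp, {entry: timestamp}) listing the entries
    whose zip timestamp deviates from the majority value."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        stamps = {info.filename: info.date_time for info in zf.infolist()}
    if not stamps:
        return None, {}
    majority = Counter(stamps.values()).most_common(1)[0][0]
    return majority, {name: ts for name, ts in stamps.items() if ts != majority}


def make_sample_jar(markers):
    """Constructed sample: a jar whose build.properties recorded the builder's
    environment and whose class file kept the wall-clock build time."""
    fixed = (2023, 1, 1, 0, 0, 0)   # what a configured outputTimestamp would give
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", fixed),
                    "Manifest-Version: 1.0\n")
        zf.writestr(zipfile.ZipInfo("META-INF/build.properties", fixed),
                    "built.by=%s\nbuilt.on=%s\nbuild.dir=%s\n"
                    % (markers["username"], markers["hostname"], markers["cwd"]))
        zf.writestr(zipfile.ZipInfo("org/example/Main.class", (2023, 9, 12, 5, 43, 0)),
                    b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


# Made-up builder environment (not a real user, host or path).
SAMPLE_ENV = {
    "username": "alice",
    "hostname": "ci-runner-17.internal.invalid",
    "cwd": "/home/alice/work/widget",
    "home": "/home/alice",
}

if __name__ == "__main__":
    markers = build_environment_markers(SAMPLE_ENV)
    jar = make_sample_jar(markers)
    for entry, kinds in sorted(scan_archive(jar, markers).items()):
        print("LEAK", entry, ", ".join(kinds))
    majority, deviating = timestamp_report(jar)
    print("majority timestamp", majority, "deviating:", deviating)
```

Run it against a real artifact by replacing the sample jar with `open("target/foo.jar", "rb").read()` and, for a release built by someone else, by passing that builder's username/hostname/path (as far as they are known) instead of `SAMPLE_ENV`.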
How?

reproducible-builds.org:

1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.
3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build.
Reproducible Builds for the JVM:
1. configure build: Maven, Gradle, sbt
2. check binaries: Maven Central

Reproducible Central: https://github.com/jvm-repo-rebuild/reproducible-central

rebuilding 2611 releases of 550 projects:
- 2027 releases are confirmed fully reproducible (100% reproducible artifacts),
- 584 releases are only partially reproducible (contain some unreproducible artifacts)
- of the 550 projects, 439 have at least one fully reproducible release, 111 have none

Rebuild Detailed Results (table: groupId | artifactId(s) | versions | reproducible?), first rows as shown:
biz.aQute.bnd (8 versions), ch.qos.logback (10 versions, not all reproducible), ch.qos.reload4j, ch.qos.logback.db, com.flowlogix
Project: org.apache.maven.plugins:maven-javadoc-plugin

Source code: https://github.com/apache/maven-javadoc-plugin.git
rebuilding 8 releases of org.apache.maven.plugins:maven-javadoc-plugin:

- 5 releases were found successfully fully reproducible (100% reproducible artifacts),
- 3 had issues (some unreproducible artifacts, see eventual diffoscope and/or issue tracker links):

version | build spec | result: reproducible?     | size
3.6.0   | mvn jdk17  | result: 5 ok, 1 different | 4.6M
3.5.0   | mvn jdk8 w | result: 4 ok              | 4.2M
3.4.1   | mvn jdk8 w | result:                   | 4.2M
3.4.0   | mvn jdk8 w | result:                   | 4.2M
3.3.2   | mvn jdk8 w | result:                   | 4.2M
3.3.1   | mvn jdk8 w | result:                   | 4.2M
3.3.0   | mvn jdk8 w | result:                   | 4.1M

("w" in the build spec: the reference build was done on Windows, i.e. with CRLF newlines)
./rebuild.sh <path/to/...>/<project>-<version>.buildspec

content/org/apache/maven/plugins/maven-javadoc-plugin/maven-javadoc-plugin-3.5.0.buildspec:

groupId=org.apache.maven.plugins
artifactId=maven-javadoc-plugin
display=${groupId}:${artifactId}
version=3.5.0

gitRepo=https://github.com/apache/${artifactId}.git
gitTag=${artifactId}-${version}

tool=mvn
jdk=8
newline=crlf

command="mvn -Papache-release clean package -Dmaven.javadoc.skip -Dgpg.skip -DskipTests"
buildinfo=target/${artifactId}-${version}.buildinfo

issue=

> ./rebuild.sh content/org/apache/maven/plugins/maven-javadoc-plugin/maven-javadoc-plugin-3.5.0.buildspec
[INFO] Rebuilding from spec content/org/apache/maven/plugins/maven-javadoc-plugin/maven-javadoc-plugin-3.5.0.buildspec
[INFO] - groupId: org.apache.maven.plugins
[INFO] - artifactId: maven-javadoc-plugin
[INFO] - version: 3.5.0
[INFO] - gitRepo: https://github.com/apache/maven-javadoc-plugin.git
[INFO] - gitTag: maven-javadoc-plugin-3.5.0
[INFO] - tool: mvn
[INFO] - jdk: 8
[WARN] - timezone: Using default value: "UTC"
[WARN] - locale: Using default value: "en_US"
[WARN] - umask: Using default value: "0002"
[INFO] - newline: crlf
[INFO] - command: mvn -Papache-release clean package -Dmaven.javadoc.skip -Dgpg.skip -DskipTests
[INFO] - buildinfo: target/maven-javadoc-plugin-3.5.0.buildinfo

[INFO] Fetching source code from Git https://github.com/apache/maven-javadoc-plugin.git on tag maven-javadoc-plugin-3.5.0

[INFO] Rebuilder Docker image is ready for use: rb-ubuntu-2204-jdk8-mvn3.6.3-toolchains-8-hboutemy-utc-en_us-0002
[INFO] Rebuilding org.apache.maven.plugins:maven-javadoc-plugin:3.5.0 release
[RUN ] docker run -it --rm --name rebuild-central \
  -v /Users/hboutemy/dev/git/misc/reproducible-central/content/org/apache/maven/plugins/maven-javadoc-plugin/buildcache/maven-javadoc-plugin:/var/maven/app \
  -v /Users/hboutemy/dev/git/misc/reproducible-central/.m2:/var/maven/.m2 \
  -v /Users/hboutemy/dev/git/misc/reproducible-central/.sbt:/var/maven/.sbt \
  -v /Users/hboutemy/dev/git/misc/reproducible-central/.npm:/.npm \
  -v /Users/hboutemy/dev/git/misc/reproducible-central/.bnd:/.bnd \
  -u hboutemy:20 -e MAVEN_CONFIG=/var/maven/.m2 -e MVN_UMASK=0002 -w /var/maven/app \
  rb-ubuntu-2204-jdk8-mvn3.6.3-toolchains-8-hboutemy-utc-en_us-0002 \
  /var/maven/.m2/mvncrlf -Papache-release clean package -Dmaven.javadoc.skip -Dgpg.skip -DskipTests -V -e \
  org.apache.maven.plugins:maven-artifact-plugin:3.5.0:compare -Dbuildinfo.reproducible -Dcompare.fail=false

Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /usr/local/apache-maven
Java version: 1.8.0_362, vendor: Private Build, runtime: /usr/lib/jvm/java-8-openjdk-amd64/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.1.51-0-virt", arch: "amd64", family: "unix"

[INFO] rebuild from content/org/apache/maven/plugins/maven-javadoc-plugin/maven-javadoc-plugin-3.5.0.buildspec
[INFO] results in content/org/apache/maven/plugins/maven-javadoc-plugin/maven-javadoc-plugin-3.5.0.buildinfo
[INFO] compared to Central Repository content/org/apache/maven/plugins/maven-javadoc-plugin/maven-javadoc-plugin-3.5.0.buildcompare:
ok=4
okFiles="maven-javadoc-plugin-3.5.0.pom maven-javadoc-plugin-3.5.0.jar maven-javadoc-plugin-3.5.0-source-release.zip maven-javadoc-plugin-3.5.0-sources.jar"


What if a difference is found?

1. Where is the difference?

[ERROR] size mismatch maven-javadoc-plugin-3.6.0-source-release.zip: investigate with diffoscope target/reference/org.apache.maven.plugins/maven-javadoc-plugin-3.6.0-source-release.zip target/maven-javadoc-plugin-3.6.0-source-release.zip
[ERROR] Reproducible Build output summary: 5 files ok, 1 different

2. What is the difference? diffoscope (https://diffoscope.org/): in-depth comparison of files, archives, and directories

$ diffoscope target/reference/org.apache.maven.plugins/maven-javadoc-plugin-3.6.0-source-release.zip target/maven-javadoc-plugin-3.6.0-source-release.zip
--- target/reference/org.apache.maven.plugins/maven-javadoc-plugin-3.6.0-source-release.zip
+++ target/maven-javadoc-plugin-3.6.0-source-release.zip
├── zipinfo {}
│ @@ -1,8 +1,8 @@
│ +Zip file size: 3607260 bytes, number of entries: 2479
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/it/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/it/mrm/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/it/mrm/3rdparty/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/it/mrm/3rdparty/doclet-1.0.jar/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/it/mrm/3rdparty/doclet-1.0.jar/org/
│ @@ -1503,19 +1503,17 @@
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Sep-12 05:43 maven-javadoc-plugin-3.6.0/src/test/resources/unit/validate-options-test/src/main/

3. Why? How to fix?
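The zipinfo step that diffoscope runs first is the one that usually answers "where is the difference" for a jar. The script below is an added example for this page (not code from the talk, from diffoscope or from Reproducible Central) that does the same entry-level comparison in Python and classifies each finding the way a rebuilder wants to read it: entries present on one side only, a different entry order, a different timestamp, a different size, or equal size with different content (caught through the CRC stored in the zip). The two jars are constructed in memory and imitate the quiz case later on this page: same entries, but the rebuilt MANIFEST.MF is one byte shorter and the class files changed size. Function names and sample contents are made up.

```python
"""Entry-level comparison of two zip/jar artifacts, modelled on the zipinfo
step diffoscope runs first. Added example for this page, not code from the
talk, from diffoscope or from Reproducible Central.
"""
import io
import zipfile


def _entries(data):
    """[(name, size, crc, date_time), ...] in the archive's own order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.file_size, i.CRC, i.date_time) for i in zf.infolist()]


def compare_archives(reference, rebuilt):
    """Return a report dict; every list empty and order False means the entry
    metadata and contents match (zip headers and extra fields are not covered,
    so a byte-level hash of the whole file remains the final word)."""
    ref = _entries(reference)
    new = _entries(rebuilt)
    ref_by = {e[0]: e for e in ref}
    new_by = {e[0]: e for e in new}
    report = {
        "missing": [n for n in ref_by if n not in new_by],   # only in reference
        "extra": [n for n in new_by if n not in ref_by],     # only in rebuild
        "order": False, "timestamp": [], "size": [], "content": [],
    }
    common_ref = [e[0] for e in ref if e[0] in new_by]
    common_new = [e[0] for e in new if e[0] in ref_by]
    report["order"] = common_ref != common_new
    for name in common_ref:
        _, rsize, rcrc, rtime = ref_by[name]
        _, nsize, ncrc, ntime = new_by[name]
        if rtime != ntime:
            report["timestamp"].append((name, rtime, ntime))
        if rsize != nsize:
            report["size"].append((name, rsize, nsize))
        elif rcrc != ncrc:          # same length, different bytes
            report["content"].append(name)
    return report


def is_reproducible(report):
    return not any(report[k] for k in ("missing", "extra", "order", "timestamp", "size", "content"))


def build_jar(entries, stamp=(2023, 2, 12, 17, 47, 0)):
    """Write (name, payload) pairs into an in-memory jar with one fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            info = zipfile.ZipInfo(name, stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


# Constructed sample pair: REFERENCE plays the artifact downloaded from the
# repository, REBUILT the local rebuild done with a different JDK.
CLASS_STUB = b"\xca\xfe\xba\xbe"   # class-file magic only, not a real class
REFERENCE_JAR = build_jar([
    ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nBuild-Jdk-Spec: 1.8\r\n"),
    ("org/example/Group.class", CLASS_STUB + b"\x00" * 20),
    ("javadoc-report_en.properties", "title=Javadoc\n"),
])
REBUILT_JAR = build_jar([
    ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nBuild-Jdk-Spec: 11\r\n"),  # one byte shorter
    ("org/example/Group.class", CLASS_STUB + b"\x00" * 16),   # other javac, other bytecode size
    ("javadoc-report_en.properties", "title=Javadoc\n"),
])

if __name__ == "__main__":
    report = compare_archives(REFERENCE_JAR, REBUILT_JAR)
    print("reproducible:", is_reproducible(report))
    for kind, items in report.items():
        if items:
            print(kind, items)
```

For a real investigation, read the two files named in the `investigate with diffoscope ...` line into `compare_archives`; the "size" and "content" lists tell you which entry to open next (a class file points at the compiler, a manifest or pom.properties at the build environment), which is the "why" question that follows.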
Reproducible Builds for the JVM:
1. configure build: Maven, Gradle, sbt
2. check binaries: Maven Central

Reproducible Builds for Maven (since March 2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html

1. Enable Reproducible Builds:

<properties>
  <project.build.outputTimestamp>2023-01-01T00:00:00Z</project.build.outputTimestamp>
</properties>

2. Check plugins known to require an upgrade: mvn artifact:check-buildplan
Checking for Reproducible Builds

after the release is pushed to Maven Central:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare

during the VOTE:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/

during SNAPSHOT development: check locally that you get the same result twice
mvn clean install
mvn clean verify artifact:compare

ideally (harder): a rebuilder on a different machine, or in Docker, to detect more subtle environment impact
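What `artifact:compare` does with the two .buildinfo files (the one just generated and the one derived from the reference artifacts) is a file-by-file comparison of sizes and checksums that ends in the "N files ok, M different" summary seen throughout this page. The script below is an added example written for this page, not the plugin's code; it assumes the key layout documented at https://reproducible-builds.org/docs/jvm/ (outputs.<n>.filename, .length, .checksums.sha512, plus free-form environment keys such as java.version and os.name). The two sample files are constructed and their checksums are made-up placeholders, not real sha512 digests.

```python
"""Compare two .buildinfo files the way the artifact:compare goal summarises
them ("N files ok, M different"). Added example for this page; it is not the
plugin's code, and the sample files below are constructed.
"""
import re

_OUTPUT_KEY = re.compile(r"^outputs\.(\d+)\.(filename|length|checksums\.sha512)=(.*)$")


def parse_buildinfo(text):
    """Return (outputs, env): outputs maps filename -> {"length", "sha512"},
    env keeps every other key=value line (java.version, os.name, ...)."""
    slots, env = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OUTPUT_KEY.match(line)
        if m:
            index, field, value = m.groups()
            slots.setdefault(index, {})[field] = value.strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    outputs = {}
    for slot in slots.values():
        if "filename" in slot:   # a slot without a filename is unusable
            outputs[slot["filename"]] = {
                "length": int(slot.get("length", -1)),
                "sha512": slot.get("checksums.sha512", "").lower(),
            }
    return outputs, env


def compare_buildinfo(reference_text, rebuilt_text):
    """Return (ok, different, env_diffs). ``different`` carries a reason per
    file, size checked before checksum; ``env_diffs`` lists environment keys
    whose values differ, which is usually where the explanation of a
    mismatch starts (other JDK, other OS newline, other umask)."""
    ref, ref_env = parse_buildinfo(reference_text)
    new, new_env = parse_buildinfo(rebuilt_text)
    ok, different = [], []
    for name in sorted(set(ref) | set(new)):
        if name not in new:
            different.append((name, "missing from rebuild"))
        elif name not in ref:
            different.append((name, "not in reference"))
        elif ref[name]["length"] != new[name]["length"]:
            different.append((name, "size mismatch"))
        elif ref[name]["sha512"] != new[name]["sha512"]:
            different.append((name, "sha512 mismatch"))
        else:
            ok.append(name)
    env_diffs = sorted(k for k in set(ref_env) & set(new_env) if ref_env[k] != new_env[k])
    return ok, different, env_diffs


def summary_line(ok, different):
    return "Reproducible Build output summary: %d files ok, %d different" % (len(ok), len(different))


# Constructed samples (checksums are placeholders): the reference was built on
# Windows with JDK 8, the rebuild on Linux with JDK 11, and the jar changed size.
REFERENCE_BUILDINFO = """\
# https://reproducible-builds.org/docs/jvm/
buildinfo.version=1.0-SNAPSHOT
name=Example Plugin
group-id=org.example
artifact-id=example-plugin
version=1.0.0
java.version=1.8.0_362
os.name=Windows 10
outputs.0.filename=example-plugin-1.0.0.pom
outputs.0.length=4210
outputs.0.checksums.sha512=aaaa0001
outputs.1.filename=example-plugin-1.0.0.jar
outputs.1.length=506940
outputs.1.checksums.sha512=bbbb0001
"""
REBUILT_BUILDINFO = """\
buildinfo.version=1.0-SNAPSHOT
name=Example Plugin
group-id=org.example
artifact-id=example-plugin
version=1.0.0
java.version=11.0.20
os.name=Linux
outputs.0.filename=example-plugin-1.0.0.pom
outputs.0.length=4210
outputs.0.checksums.sha512=AAAA0001
outputs.1.filename=example-plugin-1.0.0.jar
outputs.1.length=505348
outputs.1.checksums.sha512=bbbb0002
"""

if __name__ == "__main__":
    ok, different, env_diffs = compare_buildinfo(REFERENCE_BUILDINFO, REBUILT_BUILDINFO)
    for name, reason in different:
        print("[ERROR] %s %s" % (reason, name))
    print("[%s] %s" % ("ERROR" if different else "INFO", summary_line(ok, different)))
    print("environment differs on:", ", ".join(env_diffs))
```

The "check locally that you get the same result twice" step above is this comparison run on two buildinfo files produced on the same machine; an empty `env_diffs` with a non-empty `different` list is the interesting case, because it means the build itself, not the environment, is non-deterministic.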
Reproducible Builds for Gradle

- since Gradle 3.4

build.gradle (Groovy DSL shown):

tasks.withType(AbstractArchiveTask).configureEach {
    preserveFileTimestamps = false
    reproducibleFileOrder = true
}
Project: org.mockito:mockito-core (Gradle)

Source code:
This project defines 8 modules
rebuilding 18 releases of org.mockito:mockito-core:

- 15 releases were found successfully fully reproducible (100% reproducible artifacts),
- 3 had issues (some unreproducible artifacts, see eventual diffoscope and/or issue tracker links)

(table: version | reproducible? | size)

Need Help!

Project: com.scalapenos:stamina_2.11 (sbt)

Source code:
rebuilding 2 releases of com.scalapenos:stamina_2.11:

- 2 releases were found successfully fully reproducible (100% reproducible artifacts),
- 0 had issues (some unreproducible artifacts, see eventual diffoscope and/or issue tracker links)

(table: version | reproducible? | size; both releases 146K)

Need Help!

Quiz: to be or not to be Reproducible

Quiz 1: maven-javadoc-plugin 3.5.0, rebuilt locally and compared against Central

[INFO] Saved info on build to /Users/hboutemy/dev/git/misc/reproducible-central/content/org/apa...n/target/maven-javadoc-plugin-3.5.0.buildinfo
[INFO] Checking against reference build from central...
[INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
[INFO] Reference build java.version: 1.8 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Windows (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /Users/hboutemy/dev/git/misc/rep...n/buildcache/maven-javadoc-plugin/target/reference/maven-javadoc-plugin-3.5.0.buildinfo
[INFO] Reproducible Build output summary: ...

Answer: the same log with the error lines shown

[INFO] Reference build java.version: 1.8 (from MANIFEST.MF Build-Jdk-Spec)
[ERROR] Current build java.version: 11 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Windows (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /Users/hboutemy/dev/git/misc.../buildcache/maven-javadoc-plugin/target/reference/maven-javadoc-plugin-3.5.0.buildinfo
[ERROR] size mismatch maven-javadoc-plugin-3.5.0.jar: investigate with diffoscope ...
[ERROR] Reproducible Build output summary: 3 files ok, 1 different
--- target/reference/org.apache.maven.plugins/maven-javadoc-plugin-3.5.0.jar
+++ target/maven-javadoc-plugin-3.5.0.jar
├── zipinfo {}
│ @@ -1,10 +1,10 @@
│ -Zip file size: 506940 bytes, number of entries: 102
│ +Zip file size: 505348 bytes, number of entries: 102
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 META-INF/
│ --rw-r--r--  2.0 unx      351 b- defN 23-Feb-12 17:47 META-INF/MANIFEST.MF
│ +-rw-r--r--  2.0 unx      350 b- defN 23-Feb-12 17:47 META-INF/MANIFEST.MF
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 META-INF/maven/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 META-INF/maven/org.apache.maven.plugins/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 META-INF/maven/org.apache.maven.plugins/maven-javadoc-plugin/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 META-INF/sisu/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 org/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 org/apache/
│  drwxr-xr-x  2.0 unx        0 b- stor 23-Feb-12 17:47 org/apache/maven/
│ @@ -25,44 +25,44 @@
│  -rw-r--r--  2.0 unx      887 b- defN 23-Feb-12 17:47 javadoc-report_de.properties
│  -rw-r--r--  2.0 unx     1237 b- defN 23-Feb-12 17:47 javadoc-report_en.properties
│  -rw-r--r--  2.0 unx      895 b- defN 23-Feb-12 17:47 javadoc-report_es.properties
│  -rw-r--r--  2.0 unx      887 b- defN 23-Feb-12 17:47 javadoc-report_fr.properties
│  -rw-r--r--  2.0 unx      886 b- defN 23-Feb-12 17:47 javadoc-report_nl.properties
│  -rw-r--r--  2.0 unx      887 b- defN 23-Feb-12 17:47 javadoc-report_sv.properties
│  -rw-r--r--  2.0 unx     1065 b- defN 23-Feb-12 17:47 log4j.properties
│ --rw-r--r--  2.0 unx     4788 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AbstractFixJavadocMojo$JavaEntityTags.class
│ --rw-r--r--  2.0 unx    56443 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AbstractFixJavadocMojo.class
│ --rw-r--r--  2.0 unx   125012 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AbstractJavadocMojo.class
│ +-rw-r--r--  2.0 unx     4782 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AbstractFixJavadocMojo$JavaEntityTags.class
│ +-rw-r--r--  2.0 unx    55968 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AbstractFixJavadocMojo.class
│ +-rw-r--r--  2.0 unx   124307 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AbstractJavadocMojo.class
│  -rw-r--r--  2.0 unx      368 b- defN 23-Feb-12 17:47 org/apache/maven/plugins/javadoc/AdditionalDependency.class


├── org/apache/maven/plugins/javadoc/options/Group.class
│ ├── javap -verbose -constants -s -l -private {}
│ │ @@ -1,35 +1,35 @@
│ │ -Classfile /var/folders/b2/.../T/diffoscope_.../target/tmp.../ZipContainer/Group.class
│ │ +Classfile /var/folders/b2/.../T/diffoscope_.../target/tmp.../ZipContainer/Group.class
│ │    Compiled from "Group.java"
│ │  public class org.apache.maven.plugins.javadoc.options.Group implements java.io.Serializable
│ │    minor version: 0
│ │    major version: 52
│ │    flags: (0x0021) ACC_PUBLIC, ACC_SUPER
│ │    this_class: #2                          // org/apache/maven/plugins/javadoc/options/Group
│ │    super_class: #17                        // java/lang/Object
│ │    interfaces: 1, fields: 2, methods: 8, attributes: 1
│ │  Constant pool:
│ │ -   #1 = Methodref          #17.#52
│ │ -   #2 = Class              #53
│ │ -   #3 = Methodref          #2.#54
│ │ -   ...                     #55
│ │ -   ...                                    // java/io/Serializable
│ │ +   #1 = Methodref          #17.#51        // java/lang/Object."<init>":()V
│ │ +   #2 = Class              #52            // org/apache/maven/plugins/javadoc/options/Group
│ │ +   #3 = Methodref          #2.#53         // org/apache/maven/plugins/javadoc/options/Group.getTitle:()Ljava/lang/String;
│ │ +   #4 = Methodref          #54.#55        // java/lang/String.equals:(Ljava/lang/Object;)Z
│ │ +   #5 = Methodref          #2.#56         // org/apache/maven/plugins/javadoc/options/Group.getPackages:()Ljava/lang/String;
│ │ +   #6 = Fieldref           #2.#57         // org/apache/maven/plugins/javadoc/options/Group.packages:Ljava/lang/String;
│ │ +   #7 = Fieldref           #2.#58         // org/apache/maven/plugins/javadoc/options/Group.title:Ljava/lang/String;
│ │ +   #8 = Methodref          #54.#59        // java/lang/String.hashCode:()I
│ │ +   #9 = Class              #60            // java/lang/StringBuilder
│ │ +  #10 = Methodref          #9.#61         // java/lang/StringBuilder."<init>":(I)V
│ │ +  #11 = String             #62            // title = \'
│ │ +  #12 = Methodref          #9.#63         // java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
│ │ +  #13 = String             #64
│ │ +  #14 = String             #65            // \n
│ │ +  #15 = String             #66            // packages = \'
│ │ +  #16 = Methodref          #9.#67         // java/lang/StringBuilder.toString:()Ljava/lang/String;
│ │ +  #17 = Class              #68            // java/lang/Object
│ │ +  #18 = Class              #69            // java/io/Serializable
│ │    #19 = Utf8               title
│ │         Utf8               Ljava/lang/String;
│ │         Utf8               packages


├── META-INF/MANIFEST.MF
│  Manifest-Version: 1.0
│  Implementation-Title: Apache Maven Javadoc Plugin
│ -Implementation-Version: 3.5.0
│ -Specification-Vendor: The Apache Software Foundation
│  Specification-Title: Apache Maven Javadoc Plugin
│ -Build-Jdk-Spec: 1.8
│  Created-By: Maven JAR Plugin 3.3.0

Why: the reference was built with JDK 8 (Build-Jdk-Spec: 1.8) and the rebuild with JDK 11. Both class files still target major version 52 (Java 8), but javac 11 lays out the constant pool differently and emits different bytecode for the same source, hence the smaller .class entries and the smaller manifest. How to fix: rebuild with the same JDK major version as the reference (jdk=8 in the buildspec).

Quiz 2: maven-shade-plugin 3.5.1

$ diffoscope target/reference/org.apache.maven.plugins/maven-shade-plugin-3.5.1-sources.jar target/maven-shade-plugin-3.5.1-sources.jar
--- target/reference/org.apache.maven.plugins/maven-shade-plugin-3.5.1-sources.jar
+++ target/maven-shade-plugin-3.5.1-sources.jar
├── zipinfo {}

[zipinfo listing, columns spilled in extraction: entries dated 23-Sep-21, stored defN, with -rw-r--r-- permissions on one side, for files such as org/apache/maven/plugins/shade/resource/properties/OpenWebBeansPropertiesTransformer.java, PropertiesTransformer.java, SortedProperties.java, io/NoCloseOutputStream.java, io/SkipPropertiesDateLineWriter.java and META-INF/maven/...; trailer: 66 files, 341671 bytes uncompressed, 84146 bytes compressed: 75.4%]

Why: the entry contents are the same, the Unix permissions stored in the zip are not. The reference build used umask 022 (entries -rw-r--r--), while the Reproducible Central rebuilder defaults to umask 0002. How to fix: record the umask in the buildspec.

content/org/apache/maven/plugins/maven-shade-plugin/maven-shade-plugin-3.5.1.buildspec:

groupId=org.apache.maven.plugins
artifactId=maven-shade-plugin
display=${groupId}:${artifactId}
version=3.5.1

gitRepo=https://github.com/apache/${artifactId}.git
gitTag=${artifactId}-${version}

tool=mvn
jdk=17
newline=lf
umask=022

command="mvn -Papache-release clean package -DskipTests -Dmaven.javadoc.skip -Dgpg.skip"
buildinfo=target/${artifactId}-${version}.buildinfo

issue=
Quiz 3: com.flowlogix jee-examples 7.0.2 (content/com/flowlogix/flowlogix-7.0.2.buildspec)

PLEASE use for release

[INFO] Reference build java.version: 20 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Unix (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /Users/hboutemy/dev/git.../reference/jee-examples-7.0.2.buildinfo
[ERROR] sha512 mismatch jee-examples-7.0.2.war: investigate with diffoscope ...
[ERROR] Reproducible Build output summary: 11 files ok, 1 different

Note the message: a sha512 mismatch rather than a size mismatch, so the war has the same length and only the content of some entry differs.

$ diffoscope target/reference/com.flowlogix/jee-examples-7.0.2.war jakarta-ee/jee-examples/target/jee-examples-7.0.2.war
--- target/reference/com.flowlogix/jee-examples-7.0.2.war
+++ jakarta-ee/jee-examples/target/jee-examples-7.0.2.war
├── zipinfo {}
│ @@ -36,21 +36,21 @@

[zipinfo listing, columns spilled in extraction: -rw-r--r-- entries, all dated 23-Jun-27, for WEB-INF/classes/com/flowlogix/examples/ui/servlets..., WEB-INF/classes/com/flowlogix/logcapture/LogCaptu..., WEB-INF/classes/git.properties, WEB-INF/errorpages/invalidErrorPage.xhtml, WEB-INF/faces-config.xml, WEB-INF/lib/flowlogix-datamodel-7.0.2-tests.jar, WEB-INF/lib/flowlogix-datamodel-7.0.2.jar, WEB-INF/lib/flowlogix-jee-7.0.2-tests.jar, WEB-INF/lib/flowlogix-jee-7.0.2.jar, WEB-INF/lib/omnifaces-4.1.jar and WEB-INF/lib/slf4j-api-2.0.7.jar; sizes shown include 432, 1241, 3166, 830, 190, 1264, 2376, 23391, 30477, 37027, 42647 and 827896 bytes]


What's next? for the JVM... and beyond...

Maven:
- make more Maven plugins produce Reproducible output
- help more projects enable Reproducible Builds
Gradle:
- help more projects enable Reproducible Builds
- improve Reproducible Central rebuilds for these
sbt
npm & npmjs
pip & PyPI
.NET & NuGet Gallery

Community Over Code: The ASF Conference

for the ASF: please audit your binaries during VOTEs

it's ok not to be RB perfect

Hervé Boutemy - Monday 2 October 2023 04:11:02 UTC-3

but Reproducible not fully ok: reference build done with JDK 17 on *nix and umask 022
apache-maven-3.9.5-bin.zip and .tar.gz suffer from weird umask (go-r) on wagon jars:

$ diffoscope target/reference/org.apache.maven/apache-maven-3.9.5-bin.zip apache-maven/target/apache-maven-3.9.5-bin.zip
--- target/reference/org.apache.maven/apache-mav...
+++ apache-maven/target/apache-maven-3.9.5-bi...
├── Archive contents identical but files differ, possibl...
│ ├── zipinfo {}

next time will be better

Hervé Boutemy - Monday 2 October 2023 18:50:11 UTC-3

Reproducible Builds now ok: reference build done with JDK 17 on *nix and umask 022

mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/

Diversity in Community is Great, not in Binary Code


